I have some questions about cryptography that likely have simple answers, but I haven't found a good online resource:

1. I understand that cryptography depends in part on the difficulty of factoring the product of two (very) large prime numbers, but how are those large prime numbers generated in a relatively quick way? In other words, is it easier to find primes than to factor their products? And, if so, why?

2. This is a related question, but why is it that the product of two large primes is so difficult to factor?

3. Finally, I seem to remember that prime numbers become much rarer as numbers get larger - so how is it that there are enough primes to make cryptography secure?

1. yes, it is much easier to test if a number is prime (polynomial), than it is to factor a prime (unknown if polynomial). even though factoring a prime is not known to be NP-complete, this is kind of like many other NP-complete problems, where something like finding the shortest traveling salesman path is much harder than verifying that the path is legitimate. to answer your question we just try out a lot of numbers and test if each one is prime. (for actual cryptographic application, there are other properties that a prime needs to be satisfy before it can be safely used)

2. because they are big numbers. and there are a lot of possible answers -- if the number is n bits long, you need to consider 2^(n/2) possible candidates, which is a lot. i guess besides that, you could ask why multiplication is so easy!

3. they get rarer, but pretty slowly. on average one out of every log n (natural log) numbers is prime, if you are searching from 1 to n. therefore, if you want your prime to be exactly 2048 bits long, there are around 2^2048 / log(2^2048) primes of that size, which is something like 10^613 -- a lot. primes are kind of rare, but not that rare, and there are a lot of numbers, so it doesn't matter

Last edited by >-) on Mon May 01, 2017 2:09 am UTC, edited 1 time in total.

>-) wrote:1. yes, it is much easier to test if a number is prime (polynomial), than it is to factor a prime (unknown if polynomial). even though factoring a prime is not known to be NP-complete, this is kind of like many other NP-complete problems, where something like finding the shortest traveling salesman path is much harder than verifying that the path is legitimate. to answer your question we just try out a lot of numbers and test if each one is prime. (for actual cryptographic application, there are other properties that a prime needs to be satisfy before it can be used securely)

I don't understand what the reference to polynomial means. Does it mean processing time? If generating primes is easy, how do we know that various programs aren't using some flawed method to generate the same set of primes (pretend that the set is a million common primes) such that the encryption scheme could be broken without much trouble?

polynomial means the running time grows polynomially in the size of the prime you want to generate. for example, if the polynomial were n^2, you could guarantee testing if a 4096 bit number is prime would take not more than 4^2 = 16 times as long as testing a 1024 bit number

factoring is not known to be polynomial time for any polynomial, so there is no such k for which you can say factoring a 4096 bit number takes at most 4^k times as long as factoring a 1024 bit number. (well there maybe some such algorithm, we just don't know it yet)

since we generate by picking random numbers and testing if each one is a prime, i don't think the scenario described by you could happen unless we are using the same flawed random number generators which only generate the same set of numbers. of course, the NSA has been known to backdoor random number generators for pretty much that reason ...

>-) wrote:polynomial means the running time grows polynomially in the size of the prime you want to generate. for example, if the polynomial were n^2, generating a 4096 bit prime would take 4^2 = 16 times as long as generating a 1024 bit prime.

factoring is not known to be polynomial time for any polynomial, so there is no such k for which you can say factoring a 4096 bit number takes at most 4^k times as long as factoring a 1024 bit number. (well there maybe some such algorithm, we just don't know it yet)

since we generate by picking random numbers and testing if each one is a prime, i don't think the scenario described by you could happen unless we are using the same flawed random number generators which only generate the same set of numbers. of course, the NSA has been known to backdoor random number generators for pretty much that reason ...

But how can it be that generating large primes is that much easier than factoring them? Don't you have to factor them at least in part in order to know whether they're prime in the first instance?

for some intuition, suppose i randomly generate a function f which maps the integers from 1 to 2^1000 to integers from 1 to 2^1000, and don't allow myself access to the actual machine running the function. let set S be the domain of f

it is very easy to find a number in S: i just plug some arbitrary number into f and see what the output isit is much more difficult to test if a number n is in S! i would need to randomly guess at what input caused n to be output

in particular, note that i don't have to try test if a number is in S to find a number in S, since i have access to the function f.

here's another example, in the same vein. suppose there are 1000 doors and there are 100 distinct animals, with each door having 0 or 1 animals behind itthen if i ask you to name one of the 100 animals, it is not that hard -- you just open a few doors until you see an animal, and tell me the nameif i ask you to find which door has the pig behind it, then you will probably have to open several hundred doors before you find it

>-) wrote:no, it is possible to quickly prove that a number is prime without trying to factor it!the first (and possible only known) deterministic algorithm for doing so is the AKS primality testhttps://en.wikipedia.org/wiki/AKS_primality_test

for some intuition, suppose i randomly generate a function f which maps the integers from 1 to 2^1000 to integers from 1 to 2^1000, and don't allow myself access to the actual machine running the function. let set S be the domain of f

it is very easy to find a number in S: i just plug some arbitrary number into f and see what the output isit is much more difficult to test if a number n is in S! i would need to randomly guess at what input caused n to be output

in particular, note that i don't have to try test if a number is in S to find a number in S, since i have access to the function f.

here's another example, in the same vein. suppose there are 1000 doors and there are 100 distinct animals, with each door having 0 or 1 animals behind itthen if i ask you to name one of the 100 animals, it is not that hard -- you just open a few doors until you see an animal, and tell me the nameif i ask you to find which door has the pig behind it, then you will probably have to open several hundred doors before you find it

So the bottom line is as follows: (1) it's fairly easy to generate large primes through some method that's been proved to generate only prime numbers; (2) it's similarly easy to multiple those large primes; (3) one thing that's really difficult in mathematics is to factor the product of two prime numbers (unless one of the primes is two); and (4) we're reasonably certain that the method that we're using to generate large primes is doing so randomly such that the primes can't be guessed.

We don't have methods that generate only primes, but we can (relatively quickly) check if a number is prime, and we have methods that generate mostly primes.

Also, it's easy to factor out any small primes, not just 2. The difficulty is when the primes in question have hundreds of digits.

Unless stated otherwise, I do not care whether a statement, by itself, constitutes a persuasive political argument. I care whether it's true.---If this post has math that doesn't work for you, use TeX the World for Firefox or Chrome

MathDoofus wrote:(4) we're reasonably certain that the method that we're using to generate large primes is doing so randomly such that the primes can't be guessed.

Speaking of *, it's easy to pick truly random numbers –you just need some truly random noise like atmospheric noise as initial values for a (cryptographically secure) random number generator. But like >-) said in the first reply, the primes that are used for cryptography have some more restrictions used to have some restrictions. Well, the restriction of "make one prime a couple of magnitudes larger than the other" is still in place. (if they're not, you just start searching for primes near the square root of the product) I don't know if there are other restrictions in place.